Pillar 023
Email Security & Threats
Guard your ship at all costs. Phishing, spoofing, and malware are the pirates of the email seas. Learn how to defend your domain, protect your subscribers, and sail with confidence.
Fundamentals of Email Security
- What is email security?
- Why does email need protection?
- What are the biggest threats to email systems today?
- What’s the difference between spam and phishing?
- What are inbound vs outbound email threats?
- How do mailbox providers detect malicious messages?
- How do domain owners protect their reputation from spoofing?
- What’s the difference between authentication and encryption?
- What are “attack surfaces” in email?
- How does email security overlap with deliverability?
Spoofing
- What is email spoofing?
- How does spoofing work technically?
- What are the different types of spoofing (header, display name, domain)?
- How do spammers fake sender identities?
- What is “friendly name spoofing”?
- How can DMARC prevent domain spoofing?
- What does a spoofed header look like?
- How can you tell if an email is spoofed?
- What’s the difference between spoofing and impersonation?
- Can SPF or DKIM alone stop spoofing?
- What is a spoofing attack using lookalike domains?
- How do scammers register visually similar domains (homoglyphs)?
- How can spoofing bypass weak authentication setups?
- How do ESPs detect spoofed senders?
- What tools help detect spoofing attempts?
Phishing
- What is email phishing?
- What is phishing?
- How does phishing differ from spam?
- What is whaling?
- What is business email compromise (BEC)?
- What is clone phishing?
- What is brand impersonation phishing?
- How do phishing kits work?
- What are phishing landing pages?
- How do phishing emails evade filters?
- What’s the difference between malicious and deceptive links?
- What is URL obfuscation?
- What are signs of a phishing email?
- How do companies train employees against phishing?
- How do mailbox providers identify phishing patterns?
- How do blocklists detect phishing URLs?
- What is DMARC’s role in phishing prevention?
- How do users report phishing to Gmail or Outlook?
- What is anti-phishing intelligence sharing (APWG)?
Malware & Payload Attacks
- What is malware in email?
- What are common email-based malware types (Trojans, ransomware, worms)?
- What is a malicious attachment?
- What are macro-enabled document attacks?
- What are ZIP or ISO attachment attacks?
- What is a drive-by download?
- How do attackers use compressed files to evade filters?
- How do antivirus engines scan emails?
- What’s the difference between attachment scanning and link scanning?
- What are sandbox environments for email?
- How do security gateways neutralize payloads?
- What is a phishing link that drops malware?
- How does URL reputation protect against malware links?
- What is SPF/DKIM’s role (or lack thereof) in malware detection?
- How does quarantine differ from deletion?
Spam & Bulk Abuse
- What are common spam types (commercial, scams, affiliate)?
- How do spammers harvest email addresses?
- What are spam bots?
- What is snowshoe spam?
- What is hit-and-run spam?
- What is “list bombing”?
- What is spam trap seeding?
- What is content obfuscation in spam?
- How do spam filters evolve over time?
- What is Bayesian spam filtering?
- What are machine learning spam filters?
- How does engagement factor into spam detection?
- How can legitimate senders get caught in spam filters?
- What are “spam fingerprints”?
Domain Impersonation & Lookalike Attacks
- What is a lookalike domain?
- What is typosquatting?
- What is IDN homograph spoofing?
- How do scammers use Unicode characters to trick users?
- What’s the difference between cousin domains and mirror domains?
- How can you detect lookalike domains in your brand?
- What tools monitor for impersonation domains?
- How can DMARC alignment reduce domain impersonation?
- How can BIMI be used for brand defense?
- How do phishing kits deploy lookalike domains at scale?
- How can WHOIS data help identify malicious domains?
- How to report impersonation domains?
- How to take down a fake domain (abuse reports, ICANN, registrars)?
- How can redirection attacks mask lookalike domains?
- What’s “visual similarity abuse” (logos, colors, etc.)?
Credential & Identity Theft
- What is credential theft?
- How do phishing emails steal credentials?
- What is account takeover (ATO)?
- How do attackers gain access to sending infrastructure?
- How do compromised ESP accounts cause widespread spam?
- What’s the risk of weak API keys or tokens?
- What is OAuth token abuse?
- How can SPF/DKIM be bypassed after compromise?
- How can users detect unauthorized login attempts?
- How do mail providers lock accounts post-compromise?
- What is 2FA (Two-Factor Authentication) in email security?
- What is password spraying or credential stuffing?
- How does password reuse enable compromise?
- What are signs of internal compromise in an ESP or MTA?
Ransomware & Extortion Emails
- What is ransomware?
- How does ransomware spread via email?
- What are ransom phishing scams (fake threats)?
- How do extortion email scams work?
- How do fake “hacked your webcam” scams operate?
- What are sextortion scams?
- How do Bitcoin wallet threats get distributed?
- How do filters detect ransom or blackmail patterns?
- What’s the difference between scareware and ransomware?
- How can DMARC reduce fake “from yourself” ransom emails?
- How do spoofed “CEO” ransom requests work?
- How can mailbox rules be abused for ransomware persistence?
- How to report ransomware-related phishing emails?
Security Frameworks & Tools
- What are email security gateways?
- What is Mimecast?
- What is Barracuda?
- What is Cisco IronPort?
- What is Microsoft Defender for Email?
- What are EDR and MDR tools?
- What is sandbox detonation in email security?
- What is header anomaly detection?
- What is real-time URL rewriting?
- What is domain reputation scoring?
- What are brand monitoring tools for phishing detection?
- What are DMARC enforcement platforms (DMARCian, EasyDMARC, etc.)?
- How can SOC teams use DMARC data?
- What are SIEM integrations for email logs?
- What are the limits of gateway-based protection?
Detection & Response
- How can you identify a compromised sending domain?
- How can you detect unusual sending patterns?
- What are warning signs of compromise?
- What are forensic email headers?
- How to perform header forensics?
- What’s the difference between header and body analysis?
- What is anomaly detection in outbound traffic?
- How can DMARC RUF reports support incident response?
- What are best practices for handling phishing reports?
- What’s the process for triaging abuse reports?
- How to handle false positives (legit emails marked as phishing)?
- How to communicate with affected users or clients?
- How to recover brand trust after a phishing attack?
- What metrics indicate successful remediation?
Human Behavior & Social Engineering
- What is social engineering?
- What are common psychological tricks in phishing?
- What is urgency bias?
- What is authority bias in scams?
- Why do people fall for fake invoices or CEO requests?
- What is the “fear of missing out” (FOMO) tactic in phishing?
- How do scammers exploit curiosity or flattery?
- How do attackers localize social engineering for different regions?
- What are “emotionally engineered” subject lines?
- How can awareness training reduce attacks?
- What’s the impact of internal phishing simulations?
- What’s “phish fatigue”?
- How can marketing teams accidentally teach bad behavior (CTA mimicry)?
Threat Intelligence & Data Sharing
- What is threat intelligence in email?
- How do anti-abuse teams share data?
- What are feed-based blocklists?
- What is real-time reputation sharing?
- What are STIX/TAXII standards?
- What are reputation APIs?
- What is abuse desk automation?
- What are domain reputation feeds?
- How do SOCs integrate threat data?
- How do ESPs share threat indicators internally?
- What are public threat reporting channels?
- What are industry collaboration programs (M3AAWG, GCA, APWG)?
- How does data sharing improve global deliverability?
Security Awareness & Prevention
- What are email security awareness programs?
- What’s the best way to train employees on phishing?
- What’s simulated phishing training?
- How often should security awareness training be done?
- What is a phishing simulation vendor (e.g., KnowBe4)?
- What are metrics for awareness success?
- How can marketers help educate users?
- What are warning banners in corporate email?
- What is “report phishing” button training?
- How can SMBs implement affordable awareness programs?
- What’s the ROI of phishing awareness programs?
Future of Email Security
- How will AI change phishing detection?
- What are deepfake email threats?
- Will AI voice cloning appear in email scams?
- Will authentication evolve to cryptographic identity (DID)?
- Will biometrics replace passwords in email login?
- Will quantum computing break current encryption?
- Will mailbox providers automate user-level reporting?
- Will domain reputation become globalized?
- Will spam disappear, or just evolve?
- Will AI-authenticated communication become mandatory?
Security Indicators (Auth-Results)
Brand Protection & Takedowns
Abuse Desk Operations (ARF Reports)
Compromised Accounts & Bot Signups
- How do email accounts get compromised?
- What are the signs of a compromised sending account?
- How can compromised accounts damage sender reputation?
- How can I prevent account compromise (e.g., MFA)?
- What are malicious bot signups?
- How can bots harm my email list and reputation?
- How can I prevent bot signups (e.g., CAPTCHA, honeypots)?
Trust beats tactics.
Review My Emails · Email Almanac